Java Hardcoded Keystore Password
Description
Detects hardcoded passwords used with Java KeyStore's PasswordProtection class. Using hardcoded credentials in source code is a security risk as it exposes sensitive authentication data and makes password rotation difficult.
Detection Strategy
• Check if java.security.KeyStore is imported in the source file
• Look for usage of KeyStore.PasswordProtection constructor calls
• Examine whether the password argument passed to PasswordProtection is a hardcoded value (such as a string literal or a char array literal) rather than a variable, field, or method result
• Report a vulnerability if a hardcoded password is found in the PasswordProtection constructor
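The four steps above, as an added example that is not Fluid Attacks' own rule implementation: a small Python scanner that checks for the java.security.KeyStore import, locates KeyStore.PasswordProtection constructor calls and keyStore.load(...) calls, extracts the password argument, and reports it when it is a string literal (with or without .toCharArray()) or a char[] literal. The Java snippets it scans are constructed for this example, and it assumes each call sits on a single source line.

```python
import re

# Constructed sample Java sources (not from the original page) used to exercise the rule.
VULNERABLE_SRC = """\
import java.security.KeyStore;
KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(null, "myHardcodedPassword123".toCharArray());
KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection("s3cret".toCharArray());
"""

SAFE_SRC = """\
import java.security.KeyStore;
KeyStore keyStore = KeyStore.getInstance("PKCS12");
String password = System.getenv("KEYSTORE_PASSWORD");
keyStore.load(null, password.toCharArray());
KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection(password.toCharArray());
"""

# Step 1: the rule only applies when java.security.KeyStore (or java.security.*) is imported.
IMPORT_RE = re.compile(r'^\s*import\s+java\.security\.(?:KeyStore|\*)\s*;', re.M)
# Step 2: the calls whose password argument we inspect.
CALL_RE = re.compile(r'(new\s+(?:KeyStore\.)?PasswordProtection|\.load)\s*\(')
# Step 3: what counts as a hardcoded value: a string literal (optionally .toCharArray()) or a char[] literal.
LITERAL_RE = re.compile(
    r'^(?:"(?:[^"\\]|\\.)*"(?:\s*\.toCharArray\(\))?|new\s+char\s*\[\]\s*\{[^}]*\})$'
)

OPEN, CLOSE = '([{', ')]}'


def has_keystore_import(src):
    """Return True when the source imports java.security.KeyStore."""
    return IMPORT_RE.search(src) is not None


def _split_args(text, open_idx):
    """Return the top-level comma-separated arguments of the call whose '(' is at open_idx.

    Tracks nesting of (), [] and {} and skips over string literals so that
    "a,b".toCharArray() or new char[] {'a', 'b'} is returned as a single argument.
    """
    depth, args, cur, in_str = 0, [], [], False
    i = open_idx
    while i < len(text):
        ch = text[i]
        if in_str:
            cur.append(ch)
            if ch == '\\' and i + 1 < len(text):  # keep escaped character verbatim
                cur.append(text[i + 1])
                i += 2
                continue
            if ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            cur.append(ch)
        elif ch in OPEN:
            depth += 1
            if depth > 1:
                cur.append(ch)
        elif ch in CLOSE:
            depth -= 1
            if depth == 0:
                args.append(''.join(cur).strip())
                return args
            cur.append(ch)
        elif ch == ',' and depth == 1:
            args.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    return args  # unbalanced call: return what was collected


def find_hardcoded_keystore_passwords(src):
    """Return [(line_number, password_argument_text)] for every hardcoded keystore password."""
    findings = []
    if not has_keystore_import(src):
        return findings
    for lineno, line in enumerate(src.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            args = _split_args(line, m.end() - 1)
            # PasswordProtection(password) takes the password first; load(stream, password) takes it second.
            if m.group(1) == '.load':
                password_arg = args[1] if len(args) > 1 else None
            else:
                password_arg = args[0] if args else None
            # Step 4: report when the argument is a literal rather than a variable or method result.
            if password_arg is not None and LITERAL_RE.match(password_arg):
                findings.append((lineno, password_arg))
    return findings


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SRC), ("safe", SAFE_SRC)):
        print(name, find_hardcoded_keystore_passwords(src))
```

Running the block reports lines 3 and 4 of the vulnerable sample and nothing for the safe sample; a file with the same calls but without the KeyStore import is skipped entirely, matching the first step of the strategy.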
Vulnerable code example
import java.security.KeyStore;
KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(null, "myHardcodedPassword123".toCharArray()); // Vulnerable: the keystore password is a string literal in source code

✅ Secure code example
import java.security.KeyStore;
KeyStore keyStore = KeyStore.getInstance("PKCS12");
String password = System.getenv("KEYSTORE_PASSWORD"); // Safe: password retrieved from an environment variable
if (password == null) {
    throw new IllegalStateException("KEYSTORE_PASSWORD is not set"); // Fail closed instead of dereferencing null
}
keyStore.load(null, password.toCharArray());